Secure Storage and Keychain Access in Flutter

Introduction

Managing sensitive data such as API tokens, user credentials, or private keys demands a robust approach. Flutter secure storage leverages each platform’s native safeguards—Keychain on iOS and Keystore on Android—to encrypt and isolate secrets. This tutorial dives into intermediate patterns for secure storage and keychain access, focusing on the flutter_secure_storage plugin and platform-specific configurations.

Setup & Installation

Add the official dependency to your pubspec.yaml:

dependencies:
  flutter_secure_storage

Then run flutter pub get.

On iOS, ensure you have these entitlements enabled in Xcode:

• Keychain Sharing

• Access Groups (if sharing across apps)

No extra native libraries are needed for Android; the plugin uses AndroidX and Jetpack Security under the hood.

Using Flutter secure storage

Import and instantiate the storage client once, preferably in a service or repository layer:

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

final storage = FlutterSecureStorage();

Write, read, and delete operations are async and straightforward:

Future<void> cacheAuthToken(String token) async {
  await storage.write(key: 'auth_token', value: token);
}

Future<String?> fetchAuthToken() async {
  return await storage.read(key: 'auth_token');
}

Future<void> clearAuthToken() async {
  await storage.delete(key: 'auth_token');
}

Close variants such as reading all keys or bulk deletion are supported:

• storage.readAll() returns a map of all key-value pairs.

• storage.deleteAll() removes every entry.

Platform-Specific Customization

flutter_secure_storage exposes platform options to tune encryption parameters or access controls.

iOS Keychain Options

const iosOptions = IOSOptions(
  accountName: 'com.example.myapp',
  synchronizable: true, // iCloud sync
  accessibility: KeychainAccessibility.first_unlock,
);
await storage.write(
  key: 'refresh_token',
  value: refreshToken,
  iOptions: iosOptions,
);

KeychainAccessibility levels include:

• after_first_unlock – accessible once after device boot.

• when_unlocked – only when the device is unlocked.

• when_passcode_set_this_device_only – highest security, non-migratable.

Android Keystore Options

const androidOptions = AndroidOptions(
  encryptedSharedPreferences: true,
  keyAlias: 'my_app_key',
);
await storage.write(
  key: 'biometric_key',
  value: biometricSecret,
  aOptions: androidOptions,
);

Parameters:

• encryptedSharedPreferences – wraps SharedPreferences with Jetpack Security.

• keyAlias – identifies the AndroidKeyStore entry.

Migrating from plain SharedPreferences

1. Read existing values.

2. Write into secure storage.

3. Delete legacy entries.
   This ensures users aren’t forced to re-authenticate on update.

Best Practices for Secure Storage

• Minimize stored data: keep only what’s essential.

• Rotate keys periodically; store rotation timestamps.

• Use biometric or PIN fallback when exposing secrets at runtime.

• Handle exceptions (e.g., locked keychain or missing keystore) gracefully.

• Test on real devices to verify Keychain entitlements and Keystore availability.

Vibe Studio

Vibe Studio, powered by Steve’s advanced AI agents, is a revolutionary no-code, conversational platform that empowers users to quickly and efficiently create full-stack Flutter applications integrated seamlessly with Firebase backend services. Ideal for solo founders, startups, and agile engineering teams, Vibe Studio allows users to visually manage and deploy Flutter apps, greatly accelerating the development process. The intuitive conversational interface simplifies complex development tasks, making app creation accessible even for non-coders.

Conclusion

Implementing Flutter secure storage and native keychain access effectively shields sensitive data in your app. By combining the flutter_secure_storage plugin with carefully chosen iOSKeychain and AndroidKeystore options, you achieve a balanced mix of security and usability. Review your threat model periodically and adapt accessibility settings as needed.